ELK – metricbeat dynamically splitting metrics to various kafka topics

by | Oct 11, 2023 | ElasticSearch | 0 comments

As in my previous post for winlogbeat I covered how to split logs using fields to different kafka topics using dynamic values, in this post I will cover the same thing but using metricbeat.

So again, lets say you want to direct different kinds of metrics to various topics / indices, we have the ability to add fields within the various modules.d *.yml files

So first the metricbeat.yml config needs to look something like this (add the username and password to the kakfa output if needed)

---
# modules

metricbeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: true

  # Period on which files under path should be checked for changes
  #reload.period: 10s

# Outputs

output.kafka:
  hosts:
    - saveme-1.vman.ch:6969
    - saveme-2.vman.ch:6969
    - saveme-3.vman.ch:6969
  topic: "%{[kafka_topic]}"

  ssl.enabled: true

# Logging

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: warning

Then within the system.yml

---
- module: system
  period: 10s
  metricsets:
    - uptime
    - filesystem
    - fsstat
    - cpu
    - core
    - diskio
    - memory
    - network
    - process
    - process_summary
    - socket_summary
  filesystem.ignore_types: [unknown, unavailable] #ignore CD drives, etc
  cpu.metrics: [percentages, normalized_percentages]
  fields:
    kafka_topic: metrics-windows-system
  fields_under_root: true

Here is another example for iis.yml

---
- module: iis
  metricsets:
    - webserver
    - website
    - application_pool
  enabled: true
  period: 10s
  fields:
    kafka_topic: metrics-windows-iis
  fields_under_root: true

This can be repeated multiple times in all the various .yml files for each module, this way when they hit the kafka output they will be send accordingly. Another great use case / advanced option is when using the sql.yml, you can have multiple queries with various outputs to ends up in different topics / indicies.

---
- module: sql
  metricsets:
    - query
  period: 5m
  hosts: ["sqlserver://localhost/vman"]
  username: superduperuser
  password: superduperusersecurepassword
  driver: "mssql"
  merge_results: false
  sql_queries:
    - query: "SELECT * FROM table1"
      response_format: table
  fields:
    kafka_topic: metrics-windows-mssql
    query_name: vmantable1query1
  fields_under_root: true

- module: sql
  metricsets:
    - query
  period: 30s
  hosts: ["sqlserver://localhost/vman"]
  username: superduperuser2
  password: superduperusersecurepasswordforquery2
  driver: "mssql"
  merge_results: false
  sql_queries:
    - query: "SELECT * FROM table2"
      response_format: table
  fields:
    kafka_topic: metrics-windows-mssql
    query_name: vmantable2query1
  fields_under_root: true

- module: sql
  metricsets:
    - query
  period: 1m
  hosts: ["sqlserver://localhost/vman"]
  username: superduperuser3
  password: superduperusersecurepasswordforquery2
  driver: "mssql"
  merge_results: false
  sql_queries:
    - query: "SELECT * FROM table3"
      response_format: table
  fields:
    kafka_topic: metrics-windows-mssql
    query_name: vmantable3query1
  fields_under_root: true

By adding query_name as an additional field it makes it easier to filter in Kibana.

Hope you found this helpful.

vMan

Submit a Comment

Your email address will not be published. Required fields are marked *

17 − 16 =

This site uses Akismet to reduce spam. Learn how your comment data is processed.